Windbg cheatsheet

Hi everyone! This post is a compilation of commonly used commands and shortcuts in WinDbg. I hope they will be useful to you.

By the way, if you need a kernel debugger, a tool I would recommend is VirtualKD-Redux, which makes your life easier. The installation steps are already documented on its GitHub page.

Shortcuts

Description              Shortcut
-----------------------  --------------
Attach to process        F6
Debug restart            CTRL+SHIFT+F5
Open executable          CTRL+E
Open source code file    CTRL+O
Step into                F11
Step over                F10

Commands

In WinDbg, all values are interpreted as hexadecimal by default. Do not include "0x" in the command.

Purpose                                                        Command
-------------------------------------------------------------  ---------------------------------------
Clear breakpoint                                               bc <breakpoint id>
Display memory as ASCII string | bytes | DWORDs |              d{a|b|d|ps|u|w} <register or address>
  pointers with symbols | Unicode string | WORDs
  (example: display memory at EAX as DWORDs: dd eax)
Display type                                                   dt <type name or address>
Execute until the next RET instruction                         pt
Quit                                                           q
List loaded modules                                            lm
Verbose symbol loading                                         !sym noisy
Reload symbols; with no arguments all modules are reloaded,    .reload [/i <module name>]
  specify the /i flag and a module name for a specific module
Set breakpoint at module base plus offset                      bp <module name>+<offset in hex, no "0x">
List breakpoints                                               bl
Disassemble before the specified address                       ub <address or register>
Disassemble at and after the specified address                 u <address or register>
Show a specific loaded module's info                           lmvm <module name>
Start/continue execution                                       g
Step into                                                      t
Step over                                                      p
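A short session that strings the commands above together in the order you would typically use them, added here as an illustration and not part of the original post. The module name myapp, the offset 1234, the type name _MYSTRUCT and the registers are constructed placeholders for a 32-bit user-mode target; each command is typed at the WinDbg prompt, and lines starting with $$ are WinDbg comments.

```windbg
$$ Added example session, not from the original post. "myapp", offset 1234,
$$ _MYSTRUCT and the register choices are constructed placeholders.
$$ All numbers are hexadecimal with no 0x prefix.

$$ Make symbol loading verbose, then force myapp's symbols to reload even
$$ if the PDB does not match the binary (that is what /i does).
!sym noisy
.reload /i myapp

$$ Confirm the module is loaded, note its base address, and show its details.
lm
lmvm myapp

$$ Breakpoint at base of myapp + 0x1234, list it to learn its id, then run.
bp myapp+1234
bl
g

$$ Once the breakpoint fires: disassemble around the current instruction.
u eip
ub eip

$$ Inspect the stack as DWORDs, then again with return addresses resolved
$$ to symbols so the call chain is readable.
dd esp
dps esp

$$ Interpret registers as data: ASCII string, Unicode string, and a struct
$$ (the dt form takes the type name followed by the address).
da ecx
du edx
dt myapp!_MYSTRUCT esi

$$ Step over one call, step into the next, run to the function's RET,
$$ then clear breakpoint 0 and quit.
p
t
pt
bc 0
q
```

The pairing of dd and dps on the same address is the useful habit here: dd shows the raw values, dps shows which of them are code pointers, which is the quickest way to tell a return address from data on the stack.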

I hope these tables have been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
